
Ethereal-dev: [Ethereal-dev] Snort unified logs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Mario D. Santana" <mds@xxxxxxxxxxxxxxxx>
Date: Sat, 25 Jun 2005 14:19:46 -0400
Hi, all.  I've undertaken to teach ethereal about snort's unified log
format.  This format is identical to pcap, but with some additional
information in the packet headers.  So far, I've hacked the libpcap
module in wiretap, and ethereal reads the file just fine, behaving as if
it were a normal pcap.

I'm taking a bit longer to figure out how best to teach ethereal to
*display* this extra information now.  As I understand it, I'll need to
write a dissector, and register it in such a way as to get it called
when appropriate.  I have a couple of questions.

1. What is the best way to register this dissector?  Would this be
considered a new encapsulation type?  If so, I would need to make sure
that the original encapsulation type isn't lost -- the packet-eth module
needs to run whether the file is snort's or tcpdump's.  Right?

2. What's the best way to save the snort-specific information (which
was read into the wtap structure during the file read) and use it from
within the dissector for display?

TIA for answers to these questions, as well as any other wisdom you may
think I'll find useful.

Cheers,
mds
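The two questions above boil down to one design point: a pcap-like file whose per-packet headers carry extra fields still needs the original link type preserved so the normal Ethernet decode runs, and the extra fields need to travel alongside each packet as a pseudo-header for a later display step. The reader below is an added illustration of that layout, not code from the poster or from the ethereal/wiretap tree. The file layout it parses is hypothetical: standard libpcap global and record headers, plus a constructed 16-byte event prefix (gen_id, sig_id, priority, flags) and a made-up magic value 0x5E1FCAFE that stand in for snort's real unified-log fields, which are not described on this page. Every length is checked before use, since a capture file handed to a sniffer is untrusted input.

```python
import struct

# Standard libpcap magic as written by a little-endian host (real value).
PCAP_MAGIC = 0xA1B2C3D4
# Hypothetical magic for the "pcap plus per-packet event info" variant; chosen
# for this example only, NOT snort's actual unified-log magic.
EXT_MAGIC = 0x5E1FCAFE

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len (standard pcap record)
EXT_HDR = struct.Struct("<IIII")        # hypothetical event prefix: gen_id, sig_id, priority, flags
ETH_HDR = struct.Struct("!6s6sH")       # dst, src, ethertype
LINKTYPE_ETHERNET = 1


def read_capture(buf):
    """Parse a plain pcap or the hypothetical extended variant.

    Returns one dict per record. 'linktype' is always the global header's
    value, so the Ethernet dissector runs regardless of which file flavour
    was read; 'pseudo' carries the extra per-packet fields (None for plain pcap).
    """
    if len(buf) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, _major, _minor, _tz, _sigfigs, snaplen, linktype = GLOBAL_HDR.unpack_from(buf, 0)
    if magic == PCAP_MAGIC:
        extended = False
    elif magic == EXT_MAGIC:
        extended = True
    else:
        raise ValueError("unknown magic 0x%08x" % magic)

    records = []
    off = GLOBAL_HDR.size
    while off < len(buf):
        pseudo = None
        if extended:
            if off + EXT_HDR.size > len(buf):
                raise ValueError("truncated event header at offset %d" % off)
            gen_id, sig_id, priority, flags = EXT_HDR.unpack_from(buf, off)
            pseudo = {"gen_id": gen_id, "sig_id": sig_id, "priority": priority, "flags": flags}
            off += EXT_HDR.size
        if off + REC_HDR.size > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(buf, off)
        off += REC_HDR.size
        # Reject lengths that exceed the snaplen or the on-wire length before
        # trusting incl_len to slice the buffer.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("bad lengths incl=%d orig=%d" % (incl_len, orig_len))
        if off + incl_len > len(buf):
            raise ValueError("truncated packet data at offset %d" % off)
        data = buf[off:off + incl_len]
        off += incl_len
        records.append({"linktype": linktype, "ts": (ts_sec, ts_usec),
                        "pseudo": pseudo, "data": data})
    return records


def dissect_ethernet(record):
    """Minimal Ethernet decode; works on records from either file flavour."""
    if record["linktype"] != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet capture")
    if len(record["data"]) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(record["data"], 0)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}


def build_sample(extended):
    """Constructed in-memory sample file with two identical broadcast IPv4 frames."""
    magic = EXT_MAGIC if extended else PCAP_MAGIC
    out = bytearray(GLOBAL_HDR.pack(magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    frame = ETH_HDR.pack(bytes.fromhex("ffffffffffff"),
                         bytes.fromhex("020000000001"), 0x0800) + b"\x45" + b"\x00" * 19
    for i in range(2):
        if extended:
            out += EXT_HDR.pack(1, 1000 + i, 2, 0)  # constructed event values
        out += REC_HDR.pack(1119722386 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    for flavour in (False, True):
        for rec in read_capture(build_sample(flavour)):
            print(dissect_ethernet(rec), rec["pseudo"])
```

The pseudo-header dict is the per-packet side channel: the file reader fills it in, the link-layer decode ignores it, and a display step can show the event fields without the link type ever changing. Rewriting `record["pseudo"]` as a new encapsulation type would break exactly the property the first question asks about.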